A new family of Android ransomware has been discovered, which spreads via SMS. This comes after a two-year decline in the spread of Android ransomware.
Going by the name Android/Filecoder.C, the new Android ransomware has been detected by researchers at security firm ESET Mobile Security.
Android/Filecoder.C – How did it spread?
The new malware began spreading via various online forums such as Reddit and XDA Developers and has been in existence since July 12, 2019.
The malware popped up on these forums via pornographic links and QR codes to entice users into clicking the link. In addition to this, the malicious attackers use link shorteners such as Bitly, mostly to portray as authentic links. Currently, around 59 clicks have been initiated by users.
Reaching Android Devices
It tries to get into an Android smartphone to attack contact lists and eventually spread via SMS to other people.
The messages contain links to the ransomware-infected app — mostly a sex simulator app — and suggest that a user’s images are being used by the app — forcing users to click on it and find the truth.
The malware is available in 42 languages and spreads in accordance with the user’s device language settings. Additionally, it uses user’s contact names as a prefix to increase its reach and attract more people.
How does the “Sex Simulator Game” Ransomware work?
When a user receives a malicious SMS message and installs the malicious app by clicking on the link, the malware shows the sex simulator game as promised. Following this, it talks to its C&C (command and control) server, further spreads via messages, and deploys encryption/decryption methods, eventually to extract money from users.
The C&C server is used to access hardcoded addresses. Once accessed, the files are encrypted and a combination of a public and private key is generated to get money from the user. If the payment is processed, the malware will decrypt the files.
Furthermore, the malware doesn’t lock users out of their devices and can’t affect .zip or .zar files.
The researchers note that the Filecoder ransomware targets limited users and is poorly executed. But if the attacker had targeted a large number of users, it would have become a serious threat. Hence, it is better that we don’t fall for such baits and download apps only via authentic app stores.